[apple/xnu.git] / bsd / netinet6 / esp_chachapoly.c

/*
 * Copyright (c) 2017 Apple Inc. All rights reserved.
 *
 * @APPLE_OSREFERENCE_LICENSE_HEADER_START@
 *
 * This file contains Original Code and/or Modifications of Original Code
 * as defined in and that are subject to the Apple Public Source License
 * Version 2.0 (the 'License'). You may not use this file except in
 * compliance with the License. The rights granted to you under the License
 * may not be used to create, or enable the creation or redistribution of,
 * unlawful or unlicensed copies of an Apple operating system, or to
 * circumvent, violate, or enable the circumvention or violation of, any
 * terms of an Apple operating system software license agreement.
 *
 * Please obtain a copy of the License at
 * http://www.opensource.apple.com/apsl/ and read it before using this file.
 *
 * The Original Code and all software distributed under the License are
 * distributed on an 'AS IS' basis, WITHOUT WARRANTY OF ANY KIND, EITHER
 * EXPRESS OR IMPLIED, AND APPLE HEREBY DISCLAIMS ALL SUCH WARRANTIES,
 * INCLUDING WITHOUT LIMITATION, ANY WARRANTIES OF MERCHANTABILITY,
 * FITNESS FOR A PARTICULAR PURPOSE, QUIET ENJOYMENT OR NON-INFRINGEMENT.
 * Please see the License for the specific language governing rights and
 * limitations under the License.
 *
 * @APPLE_OSREFERENCE_LICENSE_HEADER_END@
 */

#include <sys/param.h>
#include <sys/systm.h>
#include <sys/socket.h>
#include <sys/queue.h>
#include <sys/syslog.h>
#include <sys/errno.h>
#include <sys/mbuf.h>
#include <sys/mcache.h>
#include <mach/vm_param.h>
#include <kern/locks.h>
#include <string.h>
#include <net/if.h>
#include <net/route.h>
#include <net/net_osdep.h>
#include <netinet6/ipsec.h>
#include <netinet6/esp.h>
#include <netinet6/esp_chachapoly.h>
#include <netkey/key.h>
#include <netkey/keydb.h>
#include <corecrypto/cc.h>
#include <libkern/crypto/chacha20poly1305.h>

#define ESP_CHACHAPOLY_SALT_LEN		4
#define ESP_CHACHAPOLY_KEY_LEN		32
#define ESP_CHACHAPOLY_NONCE_LEN	12

// The minimum alignment is documented in KALLOC_LOG2_MINALIGN
// which isn't accessible from here. Current minimum is 8.
_Static_assert(_Alignof(chacha20poly1305_ctx) <= 8,
			   "Alignment guarantee is broken");

#if ((( 8 * (ESP_CHACHAPOLY_KEY_LEN + ESP_CHACHAPOLY_SALT_LEN)) != ESP_CHACHAPOLY_KEYBITS_WITH_SALT) || \
	(ESP_CHACHAPOLY_KEY_LEN != CCCHACHA20_KEY_NBYTES) || \
	(ESP_CHACHAPOLY_NONCE_LEN != CCCHACHA20POLY1305_NONCE_NBYTES))
#error "Invalid sizes"
#endif

extern lck_mtx_t *sadb_mutex;

typedef struct _esp_chachapoly_ctx {
	chacha20poly1305_ctx ccp_ctx;
	uint8_t ccp_salt[ESP_CHACHAPOLY_SALT_LEN];
	bool ccp_implicit_iv;
} esp_chachapoly_ctx_s, *esp_chachapoly_ctx_t;


#define ESP_ASSERT(_cond, _format, ...)											\
	do {																		\
		if (!(_cond)) {															\
			panic("%s:%d " _format, __FUNCTION__, __LINE__, ##__VA_ARGS__);		\
		}																		\
	} while (0)

#define ESP_CHECK_ARG(_arg) ESP_ASSERT(_arg != NULL, #_arg "is NULL")

#define _esp_log(_level, _format, ...)  \
	log(_level, "%s:%d " _format, __FUNCTION__, __LINE__, ##__VA_ARGS__)
#define esp_log_err(_format, ...) _esp_log(LOG_ERR, _format, ##__VA_ARGS__)

#define _esp_packet_log(_level, _format, ...)  \
	ipseclog((_level, "%s:%d " _format, __FUNCTION__, __LINE__, ##__VA_ARGS__))
#define esp_packet_log_err(_format, ...) _esp_packet_log(LOG_ERR, _format, ##__VA_ARGS__)

int
esp_chachapoly_mature(struct secasvar *sav)
{
	const struct esp_algorithm *algo;

	ESP_CHECK_ARG(sav);

	if ((sav->flags & SADB_X_EXT_OLD) != 0) {
		esp_log_err("ChaChaPoly is incompatible with SADB_X_EXT_OLD");
		return 1;
	}
	if ((sav->flags & SADB_X_EXT_DERIV) != 0) {
		esp_log_err("ChaChaPoly is incompatible with SADB_X_EXT_DERIV");
		return 1;
	}

	if (sav->alg_enc != SADB_X_EALG_CHACHA20POLY1305) {
		esp_log_err("ChaChaPoly unsupported algorithm %d",
					sav->alg_enc);
		return 1;
	}

	if (sav->key_enc == NULL) {
		esp_log_err("ChaChaPoly key is missing");
		return 1;
	}

	algo = esp_algorithm_lookup(sav->alg_enc);
	if (algo == NULL) {
		esp_log_err("ChaChaPoly lookup failed for algorithm %d",
					sav->alg_enc);
		return 1;
	}

	if (sav->key_enc->sadb_key_bits != ESP_CHACHAPOLY_KEYBITS_WITH_SALT) {
		esp_log_err("ChaChaPoly invalid key length %d bits",
					sav->key_enc->sadb_key_bits);
		return 1;
	}

	return 0;
}

int
esp_chachapoly_schedlen(__unused const struct esp_algorithm *algo)
{
	return sizeof(esp_chachapoly_ctx_s);
}

int
esp_chachapoly_schedule(__unused const struct esp_algorithm *algo,
						struct secasvar *sav)
{
	esp_chachapoly_ctx_t esp_ccp_ctx;
	int rc = 0;

	ESP_CHECK_ARG(sav);
	if (sav->ivlen != ESP_CHACHAPOLY_IV_LEN) {
		esp_log_err("Invalid ivlen %u", sav->ivlen);
		return EINVAL;
	}
	if (_KEYLEN(sav->key_enc) != ESP_CHACHAPOLY_KEY_LEN + ESP_CHACHAPOLY_SALT_LEN) {
		esp_log_err("Invalid key len %u", _KEYLEN(sav->key_enc));
		return EINVAL;
	}
	LCK_MTX_ASSERT(sadb_mutex, LCK_MTX_ASSERT_OWNED);

	esp_ccp_ctx = (esp_chachapoly_ctx_t)sav->sched;

	rc = chacha20poly1305_init(&esp_ccp_ctx->ccp_ctx,
							   (const uint8_t *)_KEYBUF(sav->key_enc));
	if (rc != 0) {
		esp_log_err("chacha20poly1305_init returned %d", rc);
		return rc;
	}

	memcpy(esp_ccp_ctx->ccp_salt,
		   (const uint8_t *)_KEYBUF(sav->key_enc) + ESP_CHACHAPOLY_KEY_LEN,
		   sizeof(esp_ccp_ctx->ccp_salt));

	esp_ccp_ctx->ccp_implicit_iv = ((sav->flags & SADB_X_EXT_IIV) != 0);

	return 0;
}

int
esp_chachapoly_encrypt_finalize(struct secasvar *sav,
								unsigned char *tag,
								unsigned int tag_bytes)
{
	esp_chachapoly_ctx_t esp_ccp_ctx;
	int rc = 0;

	ESP_CHECK_ARG(sav);
	ESP_CHECK_ARG(tag);
	if (tag_bytes != ESP_CHACHAPOLY_ICV_LEN) {
		esp_log_err("Invalid tag_bytes %u", tag_bytes);
		return EINVAL;
	}

	esp_ccp_ctx = (esp_chachapoly_ctx_t)sav->sched;
	rc = chacha20poly1305_finalize(&esp_ccp_ctx->ccp_ctx, tag);
	if (rc != 0) {
		esp_log_err("chacha20poly1305_finalize returned %d", rc);
		return rc;
	}
	return 0;
}

int
esp_chachapoly_decrypt_finalize(struct secasvar *sav,
								unsigned char *tag,
								unsigned int tag_bytes)
{
	esp_chachapoly_ctx_t esp_ccp_ctx;
	int rc = 0;

	ESP_CHECK_ARG(sav);
	ESP_CHECK_ARG(tag);
	if (tag_bytes != ESP_CHACHAPOLY_ICV_LEN) {
		esp_log_err("Invalid tag_bytes %u", tag_bytes);
		return EINVAL;
	}

	esp_ccp_ctx = (esp_chachapoly_ctx_t)sav->sched;
	rc = chacha20poly1305_verify(&esp_ccp_ctx->ccp_ctx, tag);
	if (rc != 0) {
		esp_log_err("chacha20poly1305_finalize returned %d", rc);
		return rc;
	}
	return 0;
}

int
esp_chachapoly_encrypt(struct mbuf *m, // head of mbuf chain
					   size_t off, // offset to ESP header
					   __unused size_t plen,
					   struct secasvar *sav,
					   __unused const struct esp_algorithm *algo,
					   int ivlen)
{
	struct mbuf *s = m; // this mbuf
	int32_t soff = 0; // offset from the head of mbuf chain (m) to head of this mbuf (s)
	int32_t sn = 0; // offset from the head of this mbuf (s) to the body
	uint8_t *sp; // buffer of a given encryption round
	size_t len; // length of a given encryption round
	const int32_t ivoff = (int32_t)off + (int32_t)sizeof(struct newesp); // IV offset
	int32_t bodyoff; // body offset
	int rc = 0; // return code of corecrypto operations
	struct newesp esp_hdr; // ESP header for AAD
	_Static_assert(sizeof(esp_hdr) == 8, "Bad size");
	uint8_t nonce[ESP_CHACHAPOLY_NONCE_LEN];
	esp_chachapoly_ctx_t esp_ccp_ctx;

	ESP_CHECK_ARG(m);
	ESP_CHECK_ARG(sav);
	if (ivlen != ESP_CHACHAPOLY_IV_LEN) {
		m_freem(m);
		esp_log_err("Invalid ivlen %u", ivlen);
		return EINVAL;
	}
	if (sav->ivlen != ESP_CHACHAPOLY_IV_LEN) {
		m_freem(m);
		esp_log_err("Invalid sav->ivlen %u", sav->ivlen);
		return EINVAL;
	}

	esp_ccp_ctx = (esp_chachapoly_ctx_t)sav->sched;
	if (esp_ccp_ctx->ccp_implicit_iv) {
		bodyoff = ivoff;
	} else {
		bodyoff = ivoff + ivlen;
	}
	// check if total packet length is enough to contain ESP + IV
	if (m->m_pkthdr.len < bodyoff) {
		esp_log_err("Packet too short %d < %zu", m->m_pkthdr.len, bodyoff);
		m_freem(m);
		return EINVAL;
	}

	rc = chacha20poly1305_reset(&esp_ccp_ctx->ccp_ctx);
	if (rc != 0) {
		m_freem(m);
		esp_log_err("chacha20poly1305_reset failed %d", rc);
		return rc;
	}

	// RFC 7634 dictates that the 12 byte nonce must be
	// the 4 byte salt followed by the 8 byte IV.
	// The IV MUST be non-repeating but does not need to be unpredictable,
	// so we use 4 bytes of 0 followed by the 4 byte ESP sequence number.
	// this allows us to use implicit IV -- draft-mglt-ipsecme-implicit-iv
	memset(sav->iv, 0, 4);
	memcpy(sav->iv + 4, &sav->seq, sizeof(sav->seq));
	_Static_assert(4 + sizeof(sav->seq) == ESP_CHACHAPOLY_IV_LEN,
				   "Bad IV length");
	memcpy(nonce, esp_ccp_ctx->ccp_salt, ESP_CHACHAPOLY_SALT_LEN);
	memcpy(nonce + ESP_CHACHAPOLY_SALT_LEN, sav->iv, ESP_CHACHAPOLY_IV_LEN);
	_Static_assert(ESP_CHACHAPOLY_SALT_LEN + ESP_CHACHAPOLY_IV_LEN == sizeof(nonce),
				   "Bad nonce length");

	rc = chacha20poly1305_setnonce(&esp_ccp_ctx->ccp_ctx, nonce);
	if (rc != 0) {
		m_freem(m);
		esp_log_err("chacha20poly1305_setnonce failed %d", rc);
		return rc;
	}

	if (!esp_ccp_ctx->ccp_implicit_iv) {
		m_copyback(m, ivoff, ivlen, sav->iv);
	}
	cc_clear(sizeof(nonce), nonce);

	// Set Additional Authentication Data (AAD)
	m_copydata(m, (int)off, sizeof(esp_hdr), (void *)&esp_hdr);

	rc = chacha20poly1305_aad(&esp_ccp_ctx->ccp_ctx,
							  sizeof(esp_hdr),
							  (void *)&esp_hdr);
	if (rc != 0) {
		m_freem(m);
		esp_log_err("chacha20poly1305_aad failed %d", rc);
		return rc;
	}

	// skip headers/IV
	while (s != NULL && soff < bodyoff) {
		if (soff + s->m_len > bodyoff) {
			sn = bodyoff - soff;
			break;
		}

		soff += s->m_len;
		s = s->m_next;
	}

	while (s != NULL && soff < m->m_pkthdr.len) {
		len = (size_t)(s->m_len - sn);
		if (len == 0) {
			// skip empty mbufs
			continue;
		}
		sp = mtod(s, uint8_t *) + sn;

		rc = chacha20poly1305_encrypt(&esp_ccp_ctx->ccp_ctx,
									  len, sp, sp);
		if (rc != 0) {
			m_freem(m);
			esp_log_err("chacha20poly1305_encrypt failed %d", rc);
			return rc;
		}

		sn = 0;
		soff += s->m_len;
		s = s->m_next;
	}
	if (s == NULL && soff != m->m_pkthdr.len) {
		m_freem(m);
		esp_log_err("not enough mbufs %d %d", soff, m->m_pkthdr.len);
		return EFBIG;
	}
	return 0;
}

int
esp_chachapoly_decrypt(struct mbuf *m, // head of mbuf chain
					   size_t off, // offset to ESP header
					   struct secasvar *sav,
					   __unused const struct esp_algorithm *algo,
					   int ivlen)
{
	struct mbuf *s = m; // this mbuf
	int32_t soff = 0; // offset from the head of mbuf chain (m) to head of this mbuf (s)
	int32_t sn = 0; // offset from the head of this mbuf (s) to the body
	uint8_t *sp; // buffer of a given encryption round
	size_t len; // length of a given encryption round
	const int32_t ivoff = (int32_t)off + (int32_t)sizeof(struct newesp); // IV offset
	int32_t bodyoff; // body offset
	int rc = 0; // return code of corecrypto operations
	struct newesp esp_hdr; // ESP header for AAD
	_Static_assert(sizeof(esp_hdr) == 8, "Bad size");
	uint8_t nonce[ESP_CHACHAPOLY_NONCE_LEN];
	esp_chachapoly_ctx_t esp_ccp_ctx;

	ESP_CHECK_ARG(m);
	ESP_CHECK_ARG(sav);
	if (ivlen != ESP_CHACHAPOLY_IV_LEN) {
		m_freem(m);
		esp_log_err("Invalid ivlen %u", ivlen);
		return EINVAL;
	}
	if (sav->ivlen != ESP_CHACHAPOLY_IV_LEN) {
		m_freem(m);
		esp_log_err("Invalid sav->ivlen %u", sav->ivlen);
		return EINVAL;
	}

	esp_ccp_ctx = (esp_chachapoly_ctx_t)sav->sched;
	if (esp_ccp_ctx->ccp_implicit_iv) {
		bodyoff = ivoff;
	} else {
		bodyoff = ivoff + ivlen;
	}
	// check if total packet length is enough to contain ESP + IV
	if (m->m_pkthdr.len < bodyoff) {
		esp_packet_log_err("Packet too short %d < %zu", m->m_pkthdr.len, bodyoff);
		m_freem(m);
		return EINVAL;
	}

	rc = chacha20poly1305_reset(&esp_ccp_ctx->ccp_ctx);
	if (rc != 0) {
		m_freem(m);
		esp_log_err("chacha20poly1305_reset failed %d", rc);
		return rc;
	}

	m_copydata(m, (int)off, sizeof(esp_hdr), (void *)&esp_hdr);

	// RFC 7634 dictates that the 12 byte nonce must be
	// the 4 byte salt followed by the 8 byte IV.
	memcpy(nonce, esp_ccp_ctx->ccp_salt, ESP_CHACHAPOLY_SALT_LEN);
	if (esp_ccp_ctx->ccp_implicit_iv) {
		// IV is implicit (4 zero bytes followed by the ESP sequence number)
		memset(nonce + ESP_CHACHAPOLY_SALT_LEN, 0, 4);
		memcpy(nonce + ESP_CHACHAPOLY_SALT_LEN + 4, &esp_hdr.esp_seq, sizeof(esp_hdr.esp_seq));
		_Static_assert(4 + sizeof(esp_hdr.esp_seq) == ESP_CHACHAPOLY_IV_LEN, "Bad IV length");
	} else {
		// copy IV from packet
		m_copydata(m, ivoff, ESP_CHACHAPOLY_IV_LEN, nonce + ESP_CHACHAPOLY_SALT_LEN);
	}
	_Static_assert(ESP_CHACHAPOLY_SALT_LEN + ESP_CHACHAPOLY_IV_LEN == sizeof(nonce),
				   "Bad nonce length");

	rc = chacha20poly1305_setnonce(&esp_ccp_ctx->ccp_ctx, nonce);
	if (rc != 0) {
		m_freem(m);
		esp_log_err("chacha20poly1305_setnonce failed %d", rc);
		return rc;
	}
	cc_clear(sizeof(nonce), nonce);

	// Set Additional Authentication Data (AAD)
	rc = chacha20poly1305_aad(&esp_ccp_ctx->ccp_ctx,
							  sizeof(esp_hdr),
							  (void *)&esp_hdr);
	if (rc != 0) {
		m_freem(m);
		esp_log_err("chacha20poly1305_aad failed %d", rc);
		return rc;
	}

	// skip headers/IV
	while (s != NULL && soff < bodyoff) {
		if (soff + s->m_len > bodyoff) {
			sn = bodyoff - soff;
			break;
		}

		soff += s->m_len;
		s = s->m_next;
	}

	while (s != NULL && soff < m->m_pkthdr.len) {
		len = (size_t)(s->m_len - sn);
		if (len == 0) {
			// skip empty mbufs
			continue;
		}
		sp = mtod(s, uint8_t *) + sn;

		rc = chacha20poly1305_decrypt(&esp_ccp_ctx->ccp_ctx,
									  len, sp, sp);
		if (rc != 0) {
			m_freem(m);
			esp_packet_log_err("chacha20poly1305_decrypt failed %d", rc);
			return rc;
		}

		sn = 0;
		soff += s->m_len;
		s = s->m_next;
	}
	if (s == NULL && soff != m->m_pkthdr.len) {
		m_freem(m);
		esp_packet_log_err("not enough mbufs %d %d", soff, m->m_pkthdr.len);
		return EFBIG;
	}
	return 0;
}
Commit	Line	Data
5ba3f43e A	1	/*
	2	* Copyright (c) 2017 Apple Inc. All rights reserved.
	3	*
	4	* @APPLE_OSREFERENCE_LICENSE_HEADER_START@
	5	*
	6	* This file contains Original Code and/or Modifications of Original Code
	7	* as defined in and that are subject to the Apple Public Source License
	8	* Version 2.0 (the 'License'). You may not use this file except in
	9	* compliance with the License. The rights granted to you under the License
	10	* may not be used to create, or enable the creation or redistribution of,
	11	* unlawful or unlicensed copies of an Apple operating system, or to
	12	* circumvent, violate, or enable the circumvention or violation of, any
	13	* terms of an Apple operating system software license agreement.
	14	*
	15	* Please obtain a copy of the License at
	16	* http://www.opensource.apple.com/apsl/ and read it before using this file.
	17	*
	18	* The Original Code and all software distributed under the License are
	19	* distributed on an 'AS IS' basis, WITHOUT WARRANTY OF ANY KIND, EITHER
	20	* EXPRESS OR IMPLIED, AND APPLE HEREBY DISCLAIMS ALL SUCH WARRANTIES,
	21	* INCLUDING WITHOUT LIMITATION, ANY WARRANTIES OF MERCHANTABILITY,
	22	* FITNESS FOR A PARTICULAR PURPOSE, QUIET ENJOYMENT OR NON-INFRINGEMENT.
	23	* Please see the License for the specific language governing rights and
	24	* limitations under the License.
	25	*
	26	* @APPLE_OSREFERENCE_LICENSE_HEADER_END@
	27	*/
	28
	29	#include <sys/param.h>
	30	#include <sys/systm.h>
	31	#include <sys/socket.h>
	32	#include <sys/queue.h>
	33	#include <sys/syslog.h>
	34	#include <sys/errno.h>
	35	#include <sys/mbuf.h>
	36	#include <sys/mcache.h>
	37	#include <mach/vm_param.h>
	38	#include <kern/locks.h>
	39	#include <string.h>
	40	#include <net/if.h>
	41	#include <net/route.h>
	42	#include <net/net_osdep.h>
	43	#include <netinet6/ipsec.h>
	44	#include <netinet6/esp.h>
	45	#include <netinet6/esp_chachapoly.h>
	46	#include <netkey/key.h>
	47	#include <netkey/keydb.h>
	48	#include <corecrypto/cc.h>
	49	#include <libkern/crypto/chacha20poly1305.h>
	50
	51	#define ESP_CHACHAPOLY_SALT_LEN 4
	52	#define ESP_CHACHAPOLY_KEY_LEN 32
	53	#define ESP_CHACHAPOLY_NONCE_LEN 12
	54
	55	// The minimum alignment is documented in KALLOC_LOG2_MINALIGN
	56	// which isn't accessible from here. Current minimum is 8.
	57	_Static_assert(_Alignof(chacha20poly1305_ctx) <= 8,
	58	"Alignment guarantee is broken");
	59
	60	#if ((( 8 * (ESP_CHACHAPOLY_KEY_LEN + ESP_CHACHAPOLY_SALT_LEN)) != ESP_CHACHAPOLY_KEYBITS_WITH_SALT) \|\| \
	61	(ESP_CHACHAPOLY_KEY_LEN != CCCHACHA20_KEY_NBYTES) \|\| \
	62	(ESP_CHACHAPOLY_NONCE_LEN != CCCHACHA20POLY1305_NONCE_NBYTES))
	63	#error "Invalid sizes"
	64	#endif
65
66	extern lck_mtx_t *sadb_mutex;
67
68	typedef struct _esp_chachapoly_ctx {
69	chacha20poly1305_ctx ccp_ctx;
70	uint8_t ccp_salt[ESP_CHACHAPOLY_SALT_LEN];
71	bool ccp_implicit_iv;
72	} esp_chachapoly_ctx_s, *esp_chachapoly_ctx_t;
73
74
75	#define ESP_ASSERT(_cond, _format, ...) \
76	do { \
77	if (!(_cond)) { \
78	panic("%s:%d " _format, __FUNCTION__, __LINE__, ##__VA_ARGS__); \
79	} \
80	} while (0)
81
82	#define ESP_CHECK_ARG(_arg) ESP_ASSERT(_arg != NULL, #_arg "is NULL")
83
84	#define _esp_log(_level, _format, ...) \
85	log(_level, "%s:%d " _format, __FUNCTION__, __LINE__, ##__VA_ARGS__)
86	#define esp_log_err(_format, ...) _esp_log(LOG_ERR, _format, ##__VA_ARGS__)
87
88	#define _esp_packet_log(_level, _format, ...) \
89	ipseclog((_level, "%s:%d " _format, __FUNCTION__, __LINE__, ##__VA_ARGS__))
90	#define esp_packet_log_err(_format, ...) _esp_packet_log(LOG_ERR, _format, ##__VA_ARGS__)
91
92	int
93	esp_chachapoly_mature(struct secasvar *sav)
94	{
95	const struct esp_algorithm *algo;
96
97	ESP_CHECK_ARG(sav);
98
99	if ((sav->flags & SADB_X_EXT_OLD) != 0) {
100	esp_log_err("ChaChaPoly is incompatible with SADB_X_EXT_OLD");
101	return 1;
102	}
103	if ((sav->flags & SADB_X_EXT_DERIV) != 0) {
104	esp_log_err("ChaChaPoly is incompatible with SADB_X_EXT_DERIV");
105	return 1;
106	}
107
108	if (sav->alg_enc != SADB_X_EALG_CHACHA20POLY1305) {
109	esp_log_err("ChaChaPoly unsupported algorithm %d",
110	sav->alg_enc);
111	return 1;
112	}
113
114	if (sav->key_enc == NULL) {
115	esp_log_err("ChaChaPoly key is missing");
116	return 1;
117	}
118
119	algo = esp_algorithm_lookup(sav->alg_enc);
120	if (algo == NULL) {
121	esp_log_err("ChaChaPoly lookup failed for algorithm %d",
122	sav->alg_enc);
123	return 1;
124	}
125
126	if (sav->key_enc->sadb_key_bits != ESP_CHACHAPOLY_KEYBITS_WITH_SALT) {
127	esp_log_err("ChaChaPoly invalid key length %d bits",
128	sav->key_enc->sadb_key_bits);
129	return 1;
130	}
131
132	return 0;
133	}
134
135	int
136	esp_chachapoly_schedlen(__unused const struct esp_algorithm *algo)
137	{
138	return sizeof(esp_chachapoly_ctx_s);
139	}
140
141	int
142	esp_chachapoly_schedule(__unused const struct esp_algorithm *algo,
143	struct secasvar *sav)
144	{
145	esp_chachapoly_ctx_t esp_ccp_ctx;
146	int rc = 0;
147
148	ESP_CHECK_ARG(sav);
149	if (sav->ivlen != ESP_CHACHAPOLY_IV_LEN) {
150	esp_log_err("Invalid ivlen %u", sav->ivlen);
151	return EINVAL;
152	}
153	if (_KEYLEN(sav->key_enc) != ESP_CHACHAPOLY_KEY_LEN + ESP_CHACHAPOLY_SALT_LEN) {
154	esp_log_err("Invalid key len %u", _KEYLEN(sav->key_enc));
155	return EINVAL;
156	}
157	LCK_MTX_ASSERT(sadb_mutex, LCK_MTX_ASSERT_OWNED);
158
159	esp_ccp_ctx = (esp_chachapoly_ctx_t)sav->sched;
160
161	rc = chacha20poly1305_init(&esp_ccp_ctx->ccp_ctx,
162	(const uint8_t *)_KEYBUF(sav->key_enc));
163	if (rc != 0) {
164	esp_log_err("chacha20poly1305_init returned %d", rc);
165	return rc;
166	}
167
168	memcpy(esp_ccp_ctx->ccp_salt,
169	(const uint8_t *)_KEYBUF(sav->key_enc) + ESP_CHACHAPOLY_KEY_LEN,
170	sizeof(esp_ccp_ctx->ccp_salt));
171
172	esp_ccp_ctx->ccp_implicit_iv = ((sav->flags & SADB_X_EXT_IIV) != 0);
173
174	return 0;
175	}
176
177	int
178	esp_chachapoly_encrypt_finalize(struct secasvar *sav,
179	unsigned char *tag,
180	unsigned int tag_bytes)
181	{
182	esp_chachapoly_ctx_t esp_ccp_ctx;
183	int rc = 0;
184
185	ESP_CHECK_ARG(sav);
186	ESP_CHECK_ARG(tag);
187	if (tag_bytes != ESP_CHACHAPOLY_ICV_LEN) {
188	esp_log_err("Invalid tag_bytes %u", tag_bytes);
189	return EINVAL;
190	}
191
192	esp_ccp_ctx = (esp_chachapoly_ctx_t)sav->sched;
193	rc = chacha20poly1305_finalize(&esp_ccp_ctx->ccp_ctx, tag);
194	if (rc != 0) {
195	esp_log_err("chacha20poly1305_finalize returned %d", rc);
196	return rc;
197	}
198	return 0;
199	}
200
201	int
202	esp_chachapoly_decrypt_finalize(struct secasvar *sav,
203	unsigned char *tag,
204	unsigned int tag_bytes)
205	{
206	esp_chachapoly_ctx_t esp_ccp_ctx;
207	int rc = 0;
208
209	ESP_CHECK_ARG(sav);
210	ESP_CHECK_ARG(tag);
211	if (tag_bytes != ESP_CHACHAPOLY_ICV_LEN) {
212	esp_log_err("Invalid tag_bytes %u", tag_bytes);
213	return EINVAL;
214	}
215
216	esp_ccp_ctx = (esp_chachapoly_ctx_t)sav->sched;
217	rc = chacha20poly1305_verify(&esp_ccp_ctx->ccp_ctx, tag);
218	if (rc != 0) {
219	esp_log_err("chacha20poly1305_finalize returned %d", rc);
220	return rc;
221	}
222	return 0;
223	}
224
225	int
226	esp_chachapoly_encrypt(struct mbuf *m, // head of mbuf chain
227	size_t off, // offset to ESP header
228	__unused size_t plen,
229	struct secasvar *sav,
230	__unused const struct esp_algorithm *algo,
231	int ivlen)
232	{
233	struct mbuf *s = m; // this mbuf
234	int32_t soff = 0; // offset from the head of mbuf chain (m) to head of this mbuf (s)
235	int32_t sn = 0; // offset from the head of this mbuf (s) to the body
236	uint8_t *sp; // buffer of a given encryption round
237	size_t len; // length of a given encryption round
238	const int32_t ivoff = (int32_t)off + (int32_t)sizeof(struct newesp); // IV offset
239	int32_t bodyoff; // body offset
240	int rc = 0; // return code of corecrypto operations
241	struct newesp esp_hdr; // ESP header for AAD
242	_Static_assert(sizeof(esp_hdr) == 8, "Bad size");
243	uint8_t nonce[ESP_CHACHAPOLY_NONCE_LEN];
244	esp_chachapoly_ctx_t esp_ccp_ctx;
245
246	ESP_CHECK_ARG(m);
247	ESP_CHECK_ARG(sav);
248	if (ivlen != ESP_CHACHAPOLY_IV_LEN) {
249	m_freem(m);
250	esp_log_err("Invalid ivlen %u", ivlen);
251	return EINVAL;
252	}
253	if (sav->ivlen != ESP_CHACHAPOLY_IV_LEN) {
254	m_freem(m);
255	esp_log_err("Invalid sav->ivlen %u", sav->ivlen);
256	return EINVAL;
257	}
258
259	esp_ccp_ctx = (esp_chachapoly_ctx_t)sav->sched;
260	if (esp_ccp_ctx->ccp_implicit_iv) {
261	bodyoff = ivoff;
262	} else {
263	bodyoff = ivoff + ivlen;
264	}
265	// check if total packet length is enough to contain ESP + IV
266	if (m->m_pkthdr.len < bodyoff) {
267	esp_log_err("Packet too short %d < %zu", m->m_pkthdr.len, bodyoff);
268	m_freem(m);
269	return EINVAL;
270	}
271
272	rc = chacha20poly1305_reset(&esp_ccp_ctx->ccp_ctx);
273	if (rc != 0) {
274	m_freem(m);
275	esp_log_err("chacha20poly1305_reset failed %d", rc);
276	return rc;
277	}
278
279	// RFC 7634 dictates that the 12 byte nonce must be
280	// the 4 byte salt followed by the 8 byte IV.
281	// The IV MUST be non-repeating but does not need to be unpredictable,
282	// so we use 4 bytes of 0 followed by the 4 byte ESP sequence number.
283	// this allows us to use implicit IV -- draft-mglt-ipsecme-implicit-iv
284	memset(sav->iv, 0, 4);
285	memcpy(sav->iv + 4, &sav->seq, sizeof(sav->seq));
286	_Static_assert(4 + sizeof(sav->seq) == ESP_CHACHAPOLY_IV_LEN,
287	"Bad IV length");
288	memcpy(nonce, esp_ccp_ctx->ccp_salt, ESP_CHACHAPOLY_SALT_LEN);
289	memcpy(nonce + ESP_CHACHAPOLY_SALT_LEN, sav->iv, ESP_CHACHAPOLY_IV_LEN);
290	_Static_assert(ESP_CHACHAPOLY_SALT_LEN + ESP_CHACHAPOLY_IV_LEN == sizeof(nonce),
291	"Bad nonce length");
292
293	rc = chacha20poly1305_setnonce(&esp_ccp_ctx->ccp_ctx, nonce);
294	if (rc != 0) {
295	m_freem(m);
296	esp_log_err("chacha20poly1305_setnonce failed %d", rc);
297	return rc;
298	}
299
300	if (!esp_ccp_ctx->ccp_implicit_iv) {
301	m_copyback(m, ivoff, ivlen, sav->iv);
302	}
303	cc_clear(sizeof(nonce), nonce);
304
305	// Set Additional Authentication Data (AAD)
306	m_copydata(m, (int)off, sizeof(esp_hdr), (void *)&esp_hdr);
307
308	rc = chacha20poly1305_aad(&esp_ccp_ctx->ccp_ctx,
309	sizeof(esp_hdr),
310	(void *)&esp_hdr);
311	if (rc != 0) {
312	m_freem(m);
313	esp_log_err("chacha20poly1305_aad failed %d", rc);
314	return rc;
315	}
316
317	// skip headers/IV
318	while (s != NULL && soff < bodyoff) {
319	if (soff + s->m_len > bodyoff) {
320	sn = bodyoff - soff;
321	break;
322	}
323
324	soff += s->m_len;
325	s = s->m_next;
326	}
327
328	while (s != NULL && soff < m->m_pkthdr.len) {
329	len = (size_t)(s->m_len - sn);
330	if (len == 0) {
331	// skip empty mbufs
332	continue;
333	}
334	sp = mtod(s, uint8_t *) + sn;
335
336	rc = chacha20poly1305_encrypt(&esp_ccp_ctx->ccp_ctx,
337	len, sp, sp);
338	if (rc != 0) {
339	m_freem(m);
340	esp_log_err("chacha20poly1305_encrypt failed %d", rc);
341	return rc;
342	}
343
344	sn = 0;
345	soff += s->m_len;
346	s = s->m_next;
347	}
348	if (s == NULL && soff != m->m_pkthdr.len) {
349	m_freem(m);
350	esp_log_err("not enough mbufs %d %d", soff, m->m_pkthdr.len);
351	return EFBIG;
352	}
353	return 0;
354	}
355
356	int
357	esp_chachapoly_decrypt(struct mbuf *m, // head of mbuf chain
358	size_t off, // offset to ESP header
359	struct secasvar *sav,
360	__unused const struct esp_algorithm *algo,
361	int ivlen)
362	{
363	struct mbuf *s = m; // this mbuf
364	int32_t soff = 0; // offset from the head of mbuf chain (m) to head of this mbuf (s)
365	int32_t sn = 0; // offset from the head of this mbuf (s) to the body
366	uint8_t *sp; // buffer of a given encryption round
367	size_t len; // length of a given encryption round
368	const int32_t ivoff = (int32_t)off + (int32_t)sizeof(struct newesp); // IV offset
369	int32_t bodyoff; // body offset
370	int rc = 0; // return code of corecrypto operations
371	struct newesp esp_hdr; // ESP header for AAD
372	_Static_assert(sizeof(esp_hdr) == 8, "Bad size");
373	uint8_t nonce[ESP_CHACHAPOLY_NONCE_LEN];
374	esp_chachapoly_ctx_t esp_ccp_ctx;
375
376	ESP_CHECK_ARG(m);
377	ESP_CHECK_ARG(sav);
378	if (ivlen != ESP_CHACHAPOLY_IV_LEN) {
379	m_freem(m);
380	esp_log_err("Invalid ivlen %u", ivlen);
381	return EINVAL;
382	}
383	if (sav->ivlen != ESP_CHACHAPOLY_IV_LEN) {
384	m_freem(m);
385	esp_log_err("Invalid sav->ivlen %u", sav->ivlen);
386	return EINVAL;
387	}
388
389	esp_ccp_ctx = (esp_chachapoly_ctx_t)sav->sched;
390	if (esp_ccp_ctx->ccp_implicit_iv) {
391	bodyoff = ivoff;
392	} else {
393	bodyoff = ivoff + ivlen;
394	}
395	// check if total packet length is enough to contain ESP + IV
396	if (m->m_pkthdr.len < bodyoff) {
397	esp_packet_log_err("Packet too short %d < %zu", m->m_pkthdr.len, bodyoff);
398	m_freem(m);
399	return EINVAL;
400	}
401
402	rc = chacha20poly1305_reset(&esp_ccp_ctx->ccp_ctx);
403	if (rc != 0) {
404	m_freem(m);
405	esp_log_err("chacha20poly1305_reset failed %d", rc);
406	return rc;
407	}
408
409	m_copydata(m, (int)off, sizeof(esp_hdr), (void *)&esp_hdr);
410
411	// RFC 7634 dictates that the 12 byte nonce must be
412	// the 4 byte salt followed by the 8 byte IV.
413	memcpy(nonce, esp_ccp_ctx->ccp_salt, ESP_CHACHAPOLY_SALT_LEN);
414	if (esp_ccp_ctx->ccp_implicit_iv) {
415	// IV is implicit (4 zero bytes followed by the ESP sequence number)
416	memset(nonce + ESP_CHACHAPOLY_SALT_LEN, 0, 4);
417	memcpy(nonce + ESP_CHACHAPOLY_SALT_LEN + 4, &esp_hdr.esp_seq, sizeof(esp_hdr.esp_seq));
418	_Static_assert(4 + sizeof(esp_hdr.esp_seq) == ESP_CHACHAPOLY_IV_LEN, "Bad IV length");
419	} else {
420	// copy IV from packet
421	m_copydata(m, ivoff, ESP_CHACHAPOLY_IV_LEN, nonce + ESP_CHACHAPOLY_SALT_LEN);
422	}
423	_Static_assert(ESP_CHACHAPOLY_SALT_LEN + ESP_CHACHAPOLY_IV_LEN == sizeof(nonce),
424	"Bad nonce length");
425
426	rc = chacha20poly1305_setnonce(&esp_ccp_ctx->ccp_ctx, nonce);
427	if (rc != 0) {
428	m_freem(m);
429	esp_log_err("chacha20poly1305_setnonce failed %d", rc);
430	return rc;
431	}
432	cc_clear(sizeof(nonce), nonce);
433
434	// Set Additional Authentication Data (AAD)
435	rc = chacha20poly1305_aad(&esp_ccp_ctx->ccp_ctx,
436	sizeof(esp_hdr),
437	(void *)&esp_hdr);
438	if (rc != 0) {
439	m_freem(m);
440	esp_log_err("chacha20poly1305_aad failed %d", rc);
441	return rc;
442	}
443
444	// skip headers/IV
445	while (s != NULL && soff < bodyoff) {
446	if (soff + s->m_len > bodyoff) {
447	sn = bodyoff - soff;
448	break;
449	}
450
451	soff += s->m_len;
452	s = s->m_next;
453	}
454
455	while (s != NULL && soff < m->m_pkthdr.len) {
456	len = (size_t)(s->m_len - sn);
457	if (len == 0) {
458	// skip empty mbufs
459	continue;
460	}
461	sp = mtod(s, uint8_t *) + sn;
462
463	rc = chacha20poly1305_decrypt(&esp_ccp_ctx->ccp_ctx,
464	len, sp, sp);
465	if (rc != 0) {
466	m_freem(m);
467	esp_packet_log_err("chacha20poly1305_decrypt failed %d", rc);
468	return rc;
469	}
470
471	sn = 0;
472	soff += s->m_len;
473	s = s->m_next;
474	}
475	if (s == NULL && soff != m->m_pkthdr.len) {
476	m_freem(m);
477	esp_packet_log_err("not enough mbufs %d %d", soff, m->m_pkthdr.len);
478	return EFBIG;
479	}
480	return 0;
481	}